I need a working sample config based on these simple details:
Outside 172.16.1.2 255.255.255.0 level 0
Inside 192.168.0.3 255.255.255.0 level 100
DMZ 192.168.154.1 255.255.255.0 level 50
Web1 172.16.1.7 needs to map to DMZ 192.168.154.7 (smtp, https)
Web2 172.16.1.24 needs to map to inside 192.168.0.4 (DNS, https)
1. I would like the inside network to be able to reach any server in the DMZ on any service. Also be able to reach the web pages.
2. I would like the DMZ to pass only limited information like port http, but I can build from any rule that works.
3. I would like to be able to browse the internet from the DMZ and inside.
I will rate high on any working configurations. I will rate each unique example using varied Nat types.
You have an acl:
access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0
But you're not allowing traffic back in:
permit ip 192.168.0.0 255.255.255.0 any
If the above acl doesn't work, try to do "permit ip any any" to see if you can get ANY traffic at all.
static (dmz,outside) tcp 172.16.1.7 25 192.168.154.7 25 netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 443 192.168.154.7 443 netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 53 192.168.0.4 53 netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 443 192.168.0.4 443 netmask 255.255.255.255
1) static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
You don't need an ACL because it is going from inside to DMZ.
2) access-list DMZ_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq 80
access-group DMZ_in in interface dmz
This would allow all hosts on the DMZ to talk to any host on the inside on port 80. As you say, you can narrow it down.
3) nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
Again, you don't need an ACL because you are going from a higher to a lower security-level interface.
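Below is a complete pre-8.3 (PIX 7.x / ASA 8.0-8.2) configuration for the three-interface layout the question describes, assembled here as an added example; it is not taken from any reply in the thread. Assumptions: physical interfaces Ethernet0/0 through Ethernet0/2, an upstream router at 172.16.1.1 on the outside, and lowercase interface names (outside, inside, dmz). The outside ACL matches the mapped (public) addresses because that is what pre-8.3 code expects.

```cisco
! --- interfaces (physical names Ethernet0/0-0/2 are assumed) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 172.16.1.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.0.3 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.154.1 255.255.255.0
!
! --- default route; 172.16.1.1 is an assumed upstream gateway ---
route outside 0.0.0.0 0.0.0.0 172.16.1.1 1
!
! --- requirement 3: inside and dmz browse the internet via PAT on the outside address ---
nat (inside) 1 192.168.0.0 255.255.255.0
nat (dmz) 1 192.168.154.0 255.255.255.0
global (outside) 1 interface
!
! --- requirement 1: identity NAT so inside hosts keep their real addresses toward the dmz ---
static (inside,dmz) 192.168.0.0 192.168.0.0 netmask 255.255.255.0
!
! --- published servers: mapped ip/port first, then real ip/port (pre-8.3 order) ---
static (dmz,outside) tcp 172.16.1.7 smtp 192.168.154.7 smtp netmask 255.255.255.255
static (dmz,outside) tcp 172.16.1.7 https 192.168.154.7 https netmask 255.255.255.255
static (inside,outside) udp 172.16.1.24 domain 192.168.0.4 domain netmask 255.255.255.255
static (inside,outside) tcp 172.16.1.24 https 192.168.0.4 https netmask 255.255.255.255
!
! --- outside ACL: only the published services, addressed by their mapped IPs ---
access-list outside_access_in extended permit tcp any host 172.16.1.7 eq smtp
access-list outside_access_in extended permit tcp any host 172.16.1.7 eq https
access-list outside_access_in extended permit udp any host 172.16.1.24 eq domain
access-list outside_access_in extended permit tcp any host 172.16.1.24 eq https
access-group outside_access_in in interface outside
!
! --- requirement 2: dmz may reach inside on http only, then may still reach the internet ---
! Applying any ACL to dmz removes the implicit permit toward lower-security interfaces,
! so the final permit-to-any line is what keeps outbound browsing from the dmz working.
access-list dmz_access_in extended permit tcp 192.168.154.0 255.255.255.0 192.168.0.0 255.255.255.0 eq www
access-list dmz_access_in extended deny ip any 192.168.0.0 255.255.255.0
access-list dmz_access_in extended permit ip 192.168.154.0 255.255.255.0 any
access-group dmz_access_in in interface dmz
!
! --- inside carries no ACL: higher-to-lower traffic is permitted by default ---
```

Return traffic for connections opened from the inside or the dmz is admitted by the stateful inspection engine, so no extra permit for replies is needed on the dmz or outside ACLs. The order of the dmz ACL matters: the deny toward 192.168.0.0/24 must sit before the permit-to-any line, otherwise the dmz can reach every inside port. This syntax does not paste into 8.3 and later, where nat/global/static are replaced by object NAT and ACLs reference real rather than mapped addresses.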